Abstract

We present two infinite families of APN functions on $GF(2^n)$ where $n$
is divisible by 3 but not 9. Our families contain two already known
families as special cases. We also discuss the inequivalence proof (by
computation) which shows that these functions are new.
1 Introduction

Let $L = GF(2^n)$ for some positive integer $n$. A function $f : L \to L$ is said
to be almost perfect nonlinear (APN) on $L$ if the number of solutions in $L$
of the equation

$$f(x + q) + f(x) = p$$

is at most 2, for all $p, q \in L$, $q \neq 0$. Equivalently, $f$ is APN if the set
$\{f(x + q) + f(x) : x \in L\}$ has size $2^{n-1}$ for each $q \in L^*$. Clearly, as $L$ has
characteristic 2, the number of solutions to the above equation must be an
even number for any function $f$ on $L$.

APN functions were introduced in [13] by Nyberg, who defined them
as the mappings with highest resistance to differential cryptanalysis. In
other words, APN functions are those for which the plaintext difference
$x - y$ yields the ciphertext difference $f(x) - f(y)$ with probability $1/2^{n-1}$.
Since Nyberg's characterization, many papers have been written on APN
functions, although not many different families of such functions are known.

The main result of this paper is a construction of a new family of APN 
functions. 

Two functions $f, g : L \to L$ are called extended affine (EA) equivalent
if there exist affine permutations $A_1, A_2$ and an affine map $A$ such that
$g = A_1 \circ f \circ A_2 + A$.

Until recently, all known APN functions were EA equivalent to one of a
short list of monomial functions, namely the Gold, Kasami-Welch, inverse,
Welch, Niho and Dobbertin functions. For some time it was conjectured
that this list was the complete list of APN functions up to EA equivalence.

A more general notion of equivalence has been suggested in [10], which 
is referred to as Carlet-Charpin-Zinoviev (CCZ) equivalence. Two functions 
are called CCZ equivalent if the graph of one can be obtained from the graph 
of the other by an affine permutation of the product space. EA equivalence 
is a special case of CCZ equivalence. 

We say that $f : L \to L$ is differentially $m$-uniform if the polynomial
$f(x + q) + f(x) + p$ has at most $m$ roots in $L$, for any $p, q \in L$, $q \neq 0$. Then
$f$ is APN on $L$ if and only if it is differentially 2-uniform on $L$. Differential
uniformity, and resistance to linear and differential attacks, are invariants
of CCZ equivalence.

In [7], Proposition 3, the authors express necessary and sufficient conditions
for EA equivalence of functions in terms of CCZ equivalence and use
this to construct several examples of APN functions that are CCZ equivalent
to the Gold functions, but not EA equivalent to any monomial function. This
showed that the original conjecture is false. The new question was whether
all APN functions are CCZ equivalent to one on the list.

In 2006 a sporadic example of a binomial APN function that is not
CCZ equivalent to any power mapping was given in [12]. A family of APN
binomials on fields $\mathbb{F}_{2^n}$, where $n$ is divisible by 3 but not 9, was presented
in [3]. In [3] these have been shown to be EA inequivalent to any monomial
function, and CCZ inequivalent to the Gold or Kasami-Welch functions.
For the case $n = 6$, in [11] Dillon presented a list of CCZ inequivalent APN
functions on $GF(2^n)$, found by computer search.

Below we list all the infinite families of non-monomial APN functions
known at the time of writing. These families are all pairwise CCZ inequivalent.

1.

where $n = 3k$, $(k, 3) = (s, 3k) = 1$, $k > 3$, $i = sk \bmod 3$, $m = -i \bmod 3$,
a = t'^ ~^ and $t$ is primitive (see Budaghyan, Carlet, Felke,
Leander [3]).
2.

f{x)=x''+'+ax'

where $n = 4k$, $(k, 2) = (s, 2k) = 1$, $k > 3$, $i = sk \bmod 4$, $m = 4 - i$,
a = t^ ^^ and $t$ is primitive (see Budaghyan, Carlet, Leander [5]). This
family generalizes an example found for $n = 12$ by Edel, Kyureghyan,
Pott [12].
3.

$$F(x) = \alpha x^{2^s+1} + \alpha^{2^k} x^{2^{k+s}+2^k} + \beta x^{2^k+1} + \sum_{i=1}^{k-1} \gamma_i x^{2^{k+i}+2^i}$$

where $n = 2k$, $\alpha$ and $\beta$ are primitive elements of $GF(2^n)$, and $\gamma_i \in
GF(2^k)$ for each $i$, and $(k, s) = 1$, $k$ is odd, $s$ is odd (see Bracken,
Byrne, Markin, McGuire [1]).

4. 

/(x) =x^ + Tr{x^), 

over $GF(2^n)$, any $n$ (see Budaghyan, Carlet, Leander [B]).

5. 

j[x) = ux ^ -I- M X -I- tij; , 

where $n = 3k$, $u$ is primitive, $v \in GF(2^k)$, $(s, 3k) = 1$, $(3, k) = 1$ and
3 divides $k + s$ (see Bracken, Byrne, Markin, McGuire [1]).



6.

$$F(x) = u^{2^k} x^{2^{-k}+2^{k+s}} + u x^{2^s+1} + v x^{2^{-k}+1}$$

where $n = 3k$, $s$ and $k$ are positive integers with $k + s$ divisible by
three and $(s, 3k) = (3, k) = 1$, $u$ is a primitive element of $GF(2^{3k})$ and
$v \in GF(2^k)$ (this paper).



7.

$$F(x) = u^{2^k} x^{2^{-k}+2^{k+s}} + u x^{2^s+1} + v x^{2^{-k}+1} + w u^{2^k+1} x^{2^{k+s}+2^s}$$

where $n = 3k$, $s$ and $k$ are positive integers with $k + s$ divisible by
three and $(s, 3k) = (3, k) = 1$, $u$ is a primitive element of $GF(2^{3k})$ and
$v, w \in GF(2^k)$ with $vw \neq 1$ (this paper).

In general, establishing CCZ equivalence of arbitrary functions is extremely
difficult. There are, however, a number of invariants of CCZ equivalence
that can be useful in the classification of functions. A nice link with
coding theory is that a pair of functions $f$ and $g$ on $L$ are CCZ equivalent
on $L$ if and only if the binary codes with parity check matrices

$$H_f = \begin{pmatrix} 1 & \cdots & 1 \\ x_1 & \cdots & x_{2^n} \\ f(x_1) & \cdots & f(x_{2^n}) \end{pmatrix}, \qquad H_g = \begin{pmatrix} 1 & \cdots & 1 \\ x_1 & \cdots & x_{2^n} \\ g(x_1) & \cdots & g(x_{2^n}) \end{pmatrix}$$

are equivalent over $GF(2)$, see [1]. Here the matrix entries are the expressions
of $x_i$, $f(x_i)$ and $g(x_i)$ respectively as binary vectors of length $n$ in $L$ viewed
as a $GF(2)$ vector space and $L = \{x_1, \dots, x_{2^n}\}$.

In this paper we introduce a new family of APN functions on fields of
order $2^{3k}$ where $k$ is not divisible by 3. The family of polynomials has the
form

$$F(x) = u^{2^k} x^{2^{-k}+2^{k+s}} + u x^{2^s+1} + v x^{2^{-k}+1} + w u^{2^k+1} x^{2^{k+s}+2^s}$$

with certain constraints on the integers $s, k$ and on $u, v, w \in GF(2^{3k})$ (see
Theorem 2.1 or Family 7 in the introduction). Curiously, setting $w = 0$
gives a different family of trinomial APN functions (Family 6, see Section
3).

The layout of this paper is as follows. In the next section we show
that our polynomials are indeed APN functions on $GF(2^{3k})$. Using code
equivalence, in Section 3 we explain the fact that these functions are not
CCZ equivalent to any known APN functions when $n = 12$, and are therefore
new.



2 New APN functions 

The following theorem constructs quadratic quadrinomial APN functions on
$GF(2^n)$ whenever $n$ is divisible by 3 but not 9. A quadratic monomial is one
of the form $x^{2^i+2^j}$ for some integers $i$ and $j$. Observe that if $f(x) = x^{2^i+2^j}$,
then

$$f(x + q) + f(x) + f(q) = x^{2^i} q^{2^j} + x^{2^j} q^{2^i}$$

is a linear function in $x$, whose kernel has the same size as any of its translates,
such as the solution set of $f(x) + f(x + q) = p$ in $L$, for any $p \in L$.
Because of this property, proving whether or not a quadratic polynomial is
APN is more tangible than one that is not quadratic. For this reason, all of
the recently discovered families of APN functions have been quadratic.

We will show that our polynomial $F(x)$ is APN by computing the size
of the kernel of the corresponding linear map

$$F(x + q) + F(x) + F(q).$$

Theorem 2.1 Let $s$ and $k$ be positive integers with $k + s$ divisible by three
and $(s, 3k) = (3, k) = 1$. Let $u$ be a primitive element of $GF(2^{3k})$ and let
$v, w \in GF(2^k)$ with $vw \neq 1$. Then the function

$$F(x) = u^{2^k} x^{2^{-k}+2^{k+s}} + u x^{2^s+1} + v x^{2^{-k}+1} + w u^{2^k+1} x^{2^{k+s}+2^s}$$

is APN over $GF(2^{3k})$.

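Proof:

We show that for every $p$ and $q$ (with $q \neq 0$) in $GF(2^{3k})$ the equation

$$F(x) + F(x + q) = p$$

has at most two solutions by counting the number of solutions to the equation

$$F(x) + F(x + q) + F(q) = 0.$$

This gives

$$F(x) + F(x + q) + F(q) = u^{2^k}(x^{2^{-k}} q^{2^{k+s}} + q^{2^{-k}} x^{2^{k+s}}) + u(x^{2^s} q + q^{2^s} x) + v(x^{2^{-k}} q + q^{2^{-k}} x) + w u^{2^k+1}(x^{2^{k+s}} q^{2^s} + q^{2^{k+s}} x^{2^s}).$$

Replace $x$ with $xq$ to obtain

$$u^{2^k} q^{2^{-k}+2^{k+s}}(x^{2^{-k}} + x^{2^{k+s}}) + u q^{2^s+1}(x^{2^s} + x) + v q^{2^{-k}+1}(x^{2^{-k}} + x) + w u^{2^k+1} q^{2^{k+s}+2^s}(x^{2^{k+s}} + x^{2^s}) = 0,$$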



and collect terms in $x$ to get

$$\Delta(x) := (v q^{2^{-k}+1} + u q^{2^s+1})x + (v q^{2^{-k}+1} + u^{2^k} q^{2^{-k}+2^{k+s}})x^{2^{-k}} + \cdots$$

We write

$$\Delta(x) = Ax + Bx^{2^{-k}} + Cx^{2^s} + Dx^{2^{k+s}}$$



where 



Clearly 0 is a root of $\Delta(x)$. Moreover $\Delta(1) = A + B + C + D = 0$. If we
show that 0 and 1 are the only solutions of $\Delta(x) = 0$, then we will have
proved that $F(x)$ is APN on $GF(2^{3k})$.

First we demonstrate that none of $A$, $B$, $C$ or $D$ vanish for any $q \in
GF(2^{3k})^*$. If $A = 0$ we have $u = v q^{2^{-k}-2^s}$ which implies $u^{2^k} = v q^{1-2^{k+s}}$.
By hypothesis, $k + s$ is divisible by 3, so that $1 - 2^{k+s}$ is divisible by 7,
and hence $q^{1-2^{k+s}}$ is a 7th power in $GF(2^{3k})$. Since 3 does not divide $k$,
7 does not divide $2^k - 1$, so the map $x \mapsto x^7$ is a permutation on $GF(2^k)$.
Then $v \in GF(2^k)$ can be expressed as a 7th power. This means that $u^{2^k}$
and hence $u$ is a 7th power in $GF(2^{3k})$. This gives a contradiction as 7 is
a divisor of $2^{3k} - 1$ and we chose $u$ to be primitive in $GF(2^{3k})$. We deduce
that $A \neq 0$. Similar arguments show that $B$, $C$ and $D$ are all nonzero.

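Next we define the linearized polynomial:

$$L_\theta(T) := T + \theta T^{2^k} + \theta^{2^k+1} T^{2^{2k}}.$$

When $T = \theta x + x^{2^{-k}}$ and $\theta$ is a $(2^k - 1)$-th power, a routine calculation
verifies that $L_\theta(T) = 0$ for all $x \in GF(2^{3k})$. Observe that

$$\frac{A}{B} = \frac{v q^{2^{-k}+1} + u q^{2^s+1}}{v q^{2^{-k}+1} + u^{2^k} q^{2^{-k}+2^{k+s}}} = \frac{v + u q^{2^s-2^{-k}}}{v + u^{2^k} q^{2^{k+s}-1}} = \left(v + u q^{2^s-2^{-k}}\right)^{1-2^k},$$

which gives

$$L_{A/B}\left(\frac{A}{B} x + x^{2^{-k}}\right) = 0. \qquad (1)$$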

Now 



Applying this to Equation (1) gives



H{^)-H{^^''--s^'''^ 



2-^^2^ r< I n2"'= /l2'''+l\^2'' I /d2-'=+2'^d , 732"'= /i^2'''n 2''+^ 



We compute this as 

+(i?2-'^^/)2'= ^^2'^+i^2-'=)^2-'=+= ^ 0^ 

We substitute in the values of A,B,C, and D and after simplification we 
obtain the following 

[vw + l)uq ^^ [vq + uq ){u q ^ +u q ^ )x 

+ {vwA-\)u q (vq +uq ){u q ^ +uq ^ )x = 0. 

As we chose $v$ and $w$ such that $v \neq w^{-1}$ and as $A \neq 0$ we can divide
the equation by (wit; + l)g^ +^(wg^ +u(7^*)u^ '^^q'^ ^+^°+-^ and take the
expression to the 2~* power to obtain



(1 + a-^'")x + {a^" + a-''-')x'' + (1 + a^-')x^'' = 0, (1) 

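where $a = u^{2^k-1} q^{2^{-k}+2^{k+s}-2^s-1}$. Now we consider Lc_{—^) = 0. We know
$L_{C/D}\left(x^{2^s} + \frac{C}{D} x^{2^{k+s}}\right) = 0$, as

$$\frac{C}{D} = \frac{u q^{2^s+1} + w u^{2^k+1} q^{2^{k+s}+2^s}}{w u^{2^k+1} q^{2^{k+s}+2^s} + u^{2^k} q^{2^{-k}+2^{k+s}}} = \left(w + u^{-1} q^{2^{-k}-2^s}\right)^{2^k-1}.$$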

This implies -^0(2)2^ + 752^^ )=0) which we compute as 

+ (C2"+2'=i? + I)2'=+l^-'=)^2-'=^Q_ 

A similar computation to the one used above will yield 

(1 + ar'^''')x + (1 + a)x^'' + (a + a~^"')x^"' = 0. (2) 



Now we combine equations (1) and (2) such that the terms in x^ cancel.
This will give

((1 + a~^'''){a + a-2"') + (1 + a-^''){l + a-'))x+ 

((a^"' + a-2'"')(a + a-^"') + (1 + a)(l + a-'))x^'^ = 
which is the same as 

((1 + a-2'-^)(a + a-2-') + (1 + a-^~'){l + a'~°)){x + x^') = 0. 

If we show that (1 + a-2'~')(a + a-^^") + (1 + a-2-')(l + a^'") $\neq 0$ for all
possible values of $a$ then we could conclude that $x \in GF(2^k)$. To this end
we consider the expression

(1 + a-2'~')(a + a-2"') = (1 + a-2~')(l + a^"'). 

Rearranging we obtain 

il + a-^f' (l + af 



(1 + a-if-^ d + af 

This implies $a$ is a $(2^{k+s} - 1)$-th power which in turn implies that it is a
seventh power. As a = u q ^ = u q^ '^ ' we see
that if $a$ is a seventh power then so is $u^{2^k-1}$ but this is not possible as $k$ is not
divisible by three and $u$ is primitive. We can now state that all solutions to
$\Delta(x) = 0$ are in $GF(2^k)$. Applying this to our original expression for $\Delta(x)$
gives

$$(u q^{2^s+1} + u^{2^k} q^{2^{-k}+2^{k+s}})(x + x^{2^s}) = 0.$$

If $u q^{2^s+1} + u^{2^k} q^{2^{-k}+2^{k+s}} = 0$ then $a = 1$, but 1 is a seventh power, hence
$(x + x^{2^s}) = 0$ which implies $x = 0$ or 1 as $s$ is relatively prime to $3k$.

3 Equivalence 

It remains to show that the new family of APN functions introduced in this
paper is indeed "new". We therefore need to demonstrate that these functions
are not CCZ equivalent to any known APN function. Unfortunately
no techniques currently exist for proving this by hand, and we resort to a
demonstration by computer for small values of $n$. We attempt to show that
the corresponding error-correcting codes are inequivalent, which is necessary
and sufficient as we said in the introduction, and is proved in [1].

One standard method of proving two codes to be inequivalent is to show
that they have a different weight distribution (if this is the case). However,
all the evidence shows that these codes all have the same weight distribution
as the code for the function x^ (we have proved this for Family 5 in [2]). We
will use other invariants.

Our quadrinomial Family 7

$$F(x) = u^{2^k} x^{2^{-k}+2^{k+s}} + u x^{2^s+1} + v x^{2^{-k}+1} + w u^{2^k+1} x^{2^{k+s}+2^s}$$

actually contains as a special case three of the families listed in the
introduction, two of which are already known. These are the binomial Family
1 when $v = w = 0$, and the trinomial Family 5 when $v = 0$, $w \neq 0$. Family
7 also contains Family 6 as a special case. We claim that these four families
are pairwise CCZ inequivalent.

For smaller dimensions than 12, CCZ equivalence can be directly determined
by testing equivalence of the associated codes with Magma. For the
case $n = 6$ the polynomials introduced here take one of the following forms:

$$u x^3 + w u^5 x^{10} + v x^{17} + u^4 x^{24}$$
$$u x^3 + v x^{17} + u^4 x^{24}$$
$$u x^3 + w u^5 x^{10} + u^4 x^{24}$$
$$u x^3 + u^4 x^{24},$$

for some primitive element $u \in GF(2^6)$ and $v \in GF(4)$. In the first 3
cases, the polynomials are CCZ equivalent to

which appears in Dillon's list, and in the last instance the polynomial is 
CCZ equivalent to x^. Therefore, n = 6 is not a sufficiently large value of n 
to distinguish our four families, but does distinguish family 1 from families 
5,6,7. 
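The check below is an added example, not code from the paper: it builds the $n = 6$ case of Theorem 2.1 ($k = 2$, $s = 1$) and computes the differential uniformity, straight from the definition in the introduction, for every $v, w \in GF(4)$ with $vw \neq 1$. The field modulus $t^6 + t + 1$ and all function names are assumptions chosen here; the paper's own computations were done in Magma.

```python
from collections import Counter

# Assumed field model (not from the paper): GF(2^6) = GF(2)[t]/(t^6 + t + 1).
# n = 3k with k = 2 and s = 1, so 3 divides k + s and (s, 3k) = (3, k) = 1.
N, MOD, K, S, ORDER = 6, 0b1000011, 2, 1, 63

def gf_mul(a, b):
    """Multiply in GF(2^N): shift-and-add with reduction by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= MOD
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def is_primitive(u):
    """u has order 63 = 3^2 * 7 iff u^(63/p) != 1 for p = 3 and p = 7."""
    return u != 0 and all(gf_pow(u, ORDER // p) != 1 for p in (3, 7))

def family7_table(u, v, w):
    """Values of F from Theorem 2.1, with 2^{-k} read as 2^{2k} mod 2^{3k} - 1."""
    ik, ks = 1 << (2 * K), 1 << (K + S)
    cu, cw = gf_pow(u, 1 << K), gf_mul(w, gf_pow(u, (1 << K) + 1))
    return [gf_mul(cu, gf_pow(x, ik + ks)) ^ gf_mul(u, gf_pow(x, (1 << S) + 1))
            ^ gf_mul(v, gf_pow(x, ik + 1)) ^ gf_mul(cw, gf_pow(x, ks + (1 << S)))
            for x in range(1 << N)]

def differential_uniformity(table):
    """Max over q != 0 and p of #{x : F(x + q) + F(x) = p}; APN means 2."""
    size = len(table)
    return max(max(Counter(table[x ^ q] ^ table[x] for x in range(size)).values())
               for q in range(1, size))

def check_n6():
    """Uniformity for each (v, w) in GF(4)^2 with vw != 1, u a primitive element."""
    u = next(a for a in range(2, 1 << N) if is_primitive(a))
    gf4 = [a for a in range(1 << N) if gf_pow(a, 4) == a]
    return {(v, w): differential_uniformity(family7_table(u, v, w))
            for v in gf4 for w in gf4 if gf_mul(v, w) != 1}
```

Calling `check_n6()` returns one entry per admissible pair $(v, w)$; the case $v = w = 0$ is the binomial and $w = 0$, $v \neq 0$ the new trinomial.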

The next smallest possible value of $n$ to consider is $n = 12$, so $k = 4$.
Example functions (with $s = 5$) from the four families are in the following
table.

Function | Class
$u^{16}x^{768} + ux^{33} + x^{257} + u^{290}x^{544}$ | Theorem 2.1, NEW (Family 7)
$u^{16}x^{768} + ux^{33} + x^{257}$ | Theorem 2.1 with $v \neq 0$, $w = 0$, NEW (Family 6)
$u^{16}x^{768} + ux^{33} + u^{290}x^{544}$ | Theorem 2.1 with $v = 0$, $w \neq 0$ (Family 5)
$u^{16}x^{768} + ux^{33}$ | Theorem 2.1, $v = w = 0$ (Family 1)



Magma has a built in test for code equivalence, which is sufficient for
$n < 12$. This test involves performing a backtrack search using the action
of the automorphism group of the code on the words of minimum weight.
However, for $n = 12$ each of these codes has 1,397,760 words of minimum
weight and this is beyond the capability of the Leon package PERM for code
equivalence that is used in Magma and other systems.

John Cannon, Gabi Nebe and Allan Steel proved these codes to be inequivalent
using a different approach. Firstly, the delta 2-rank of the four
APN functions was determined. The first three functions were found to have
delta 2-rank 7900 while the fourth has delta 2-rank 7816. Hence the fourth
APN function is CCZ inequivalent to the first three. All four functions were
then shown to be pairwise CCZ inequivalent using a new invariant based on
combinatorial properties of the words of minimum weight of the codes. All
computations were done using Magma. We refer the reader to [8] for details.

In conclusion, [8] shows that our APN functions are new.

Acknowledgements We thank John Cannon, Gabriele Nebe, and Allan 
Steel for their work on APN functions and Magma. 